[BlueOnyx:23151] Webmin security vulnerability

[Michael Stauber]

Hi all,

I know some here use Webmin, so I'd like to make you aware of the
following issue:

https://www.theregister.co.uk/2019/08/19/webmin_project_zero_day_patch/

Apparently they got a build box owned and the source code for Webmin got
amended with changes that weren't in the code repository.

---------------------
The bug at issue is a pre-authentication command-injection flaw in the
&unix_crypt function* used in the password_change.cgi file, used to
check the password against the system's /etc/shadow file. By adding a
pipe command ("|"), an attacker can execute remote code.

To be vulnerable, Cooper said, the Perl-based software must have the
Webmin -> Webmin Configuration -> Authentication -> Password expiry
policy set to Prompt users with expired passwords to enter a new one.

"This option is not set by default, but if it is set, it allows remote
code execution," he said.

That may be the case for most versions – the vulnerability exists in
versions 1.882 through 1.920 – but Webmin 1.890 is vulnerable in its
default configuration.
----------------------

-- 
With best regards

Michael Stauber